security: harden gitignore and add config example files [v1.3.7]
- Expanded .gitignore: root venv, npx_cache, AI metadata (.remember, .claude), data/ (SQLite DB), frontend/config/, frontend/public/icons/, certificates, docker-compose.override.yml - Removed backend/config/ldap_config.json from git tracking (contains real IPs/credentials) - Added backend/config/ldap_config.json.example with placeholder template - Updated backend/.env.example: added JWT_SECRET_KEY, ALLOWED_ORIGINS, DATA_DIR, LOGS_DIR
This commit is contained in:
81
.gitignore
vendored
81
.gitignore
vendored
@@ -1,11 +1,80 @@
|
||||
# ============================================================
|
||||
# TFM aInventory — .gitignore
|
||||
# ============================================================
|
||||
|
||||
# ── Python environments ──────────────────────────────────────
|
||||
.venv/
|
||||
backend/venv/
|
||||
**/__pycache__/
|
||||
*.pyc
|
||||
*.pyo
|
||||
*.pyd
|
||||
*.egg-info/
|
||||
dist/
|
||||
build/
|
||||
|
||||
# ── Runtime data (databases, configs w/ secrets) ─────────────
|
||||
data/
|
||||
backend/data/
|
||||
backend/logs/
|
||||
frontend/logs/
|
||||
__pycache__/
|
||||
*.pyc
|
||||
# LDAP config contains real server IPs and credentials — never commit
|
||||
# The active config is: backend/config/ldap_config.json (read by the app)
|
||||
# Duplicate/orphan copies are also excluded:
|
||||
backend/ldap_config.json
|
||||
backend/config/ldap_config.json
|
||||
backend/data/ldap_config.json
|
||||
# Keep example files tracked:
|
||||
!backend/config/ldap_config.json.example
|
||||
|
||||
# ── Environment files (secrets) ──────────────────────────────
|
||||
.env
|
||||
.DS_Store
|
||||
aInventory-PROD*
|
||||
aInventory-PROD*.zip
|
||||
.env.*
|
||||
!.env.example
|
||||
backend/.env
|
||||
backend/.env.*
|
||||
!backend/.env.example
|
||||
# Docker environment override file
|
||||
docker-compose.override.yml
|
||||
.env.docker
|
||||
|
||||
# ── Application logs ─────────────────────────────────────────
|
||||
logs/
|
||||
frontend/logs/
|
||||
|
||||
# ── Frontend build artifacts ──────────────────────────────────
|
||||
frontend/.next/
|
||||
frontend/out/
|
||||
frontend/build/
|
||||
frontend/node_modules/
|
||||
|
||||
# ── Frontend generated/runtime assets ────────────────────────
|
||||
# SSL certs and runtime configs (generated by start_server.sh)
|
||||
frontend/config/
|
||||
# PWA icons generated at build time
|
||||
frontend/public/icons/
|
||||
|
||||
# ── npm / npx caches ─────────────────────────────────────────
|
||||
.npx_cache/
|
||||
scratch/npm_cache/
|
||||
*.log
|
||||
npm-debug.log*
|
||||
yarn-debug.log*
|
||||
yarn-error.log*
|
||||
|
||||
# ── Production bundles (generated by export_prod.sh) ─────────
|
||||
aInventory-PROD*/
|
||||
aInventory-PROD*.zip
|
||||
|
||||
# ── AI / IDE metadata ─────────────────────────────────────────
|
||||
.remember/
|
||||
.claude/
|
||||
|
||||
# ── macOS system files ────────────────────────────────────────
|
||||
.DS_Store
|
||||
**/.DS_Store
|
||||
|
||||
# ── Certificates & keys ──────────────────────────────────────
|
||||
*.pem
|
||||
*.key
|
||||
*.crt
|
||||
*.cert
|
||||
|
||||
12
VERSION.json
12
VERSION.json
@@ -1,10 +1,10 @@
|
||||
{
|
||||
"version": "1.3.6",
|
||||
"last_build": "2026-04-11-1714",
|
||||
"commit": "ccc69d92",
|
||||
"version": "1.3.7",
|
||||
"last_build": "2026-04-11-1936",
|
||||
"commit": "pending",
|
||||
"changelog": [
|
||||
"v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)",
|
||||
"v1.3.4: Created USER_GUIDE.md for end-users and integrated into export bundle",
|
||||
"v1.3.3: Added comprehensive project README.md documenting all operational modes"
|
||||
"v1.3.7: Security hardening — expanded .gitignore (venv, caches, ldap configs, AI metadata), removed backend/config/ldap_config.json from git tracking, added ldap_config.json.example and updated .env.example",
|
||||
"v1.3.6: Scanner UI redesign (autonomous OCR, countdown), Item Type datalist, save-version automation",
|
||||
"v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)"
|
||||
]
|
||||
}
|
||||
@@ -1,5 +1,25 @@
|
||||
# Google Gemini API Key
|
||||
GEMINI_API_KEY=your_gemini_key_here
|
||||
# ============================================================
|
||||
# TFM aInventory — Backend Environment Variables
|
||||
# Copy this file to .env and fill in real values.
|
||||
# NEVER commit the real .env file to Git!
|
||||
# ============================================================
|
||||
|
||||
# Anthropic Claude API Key
|
||||
CLAUDE_API_KEY=your_claude_key_here
|
||||
# --- AI API Keys ---
|
||||
# Google Gemini API Key (required for AI label OCR onboarding)
|
||||
GEMINI_API_KEY=your_gemini_api_key_here
|
||||
|
||||
# --- Security ---
|
||||
# JWT secret key — generate a strong random value for production:
|
||||
# python3 -c "import secrets; print(secrets.token_urlsafe(64))"
|
||||
# If not set, an ephemeral key is generated per-run (tokens invalidated on restart).
|
||||
JWT_SECRET_KEY=change-me-generate-a-secure-random-value
|
||||
|
||||
# --- CORS ---
|
||||
# Comma-separated list of allowed frontend origins
|
||||
# Example for LAN deployment:
|
||||
# ALLOWED_ORIGINS=http://192.168.1.100:3000,https://192.168.1.100:3003
|
||||
ALLOWED_ORIGINS=http://localhost:3000,https://localhost:3003
|
||||
|
||||
# --- Data Paths (overridden by start_server.sh / docker-compose) ---
|
||||
# DATA_DIR=/absolute/path/to/data
|
||||
# LOGS_DIR=/absolute/path/to/logs
|
||||
|
||||
@@ -1 +0,0 @@
|
||||
{"ldap_enabled": true, "server_uri": "ldap://192.168.84.107:3890", "base_dn": "dc=example,dc=com", "user_template": "cn={username},ou=people,dc=example,dc=com", "groups_dn": "ou=groups", "use_tls": false, "role_mappings": [{"group": "inventory_admins", "role": "admin"}, {"group": "inventory_users", "role": "user"}]}
|
||||
19
backend/config/ldap_config.json.example
Normal file
19
backend/config/ldap_config.json.example
Normal file
@@ -0,0 +1,19 @@
|
||||
{
|
||||
"_comment": "Copy this file to ldap_config.json and fill in real values. NEVER commit ldap_config.json to Git.",
|
||||
"ldap_enabled": false,
|
||||
"server_uri": "ldap://YOUR_LDAP_SERVER_IP:389",
|
||||
"base_dn": "dc=yourdomain,dc=com",
|
||||
"user_template": "cn={username},ou=people,dc=yourdomain,dc=com",
|
||||
"groups_dn": "ou=groups",
|
||||
"use_tls": false,
|
||||
"role_mappings": [
|
||||
{
|
||||
"group": "inventory_admins",
|
||||
"role": "admin"
|
||||
},
|
||||
{
|
||||
"group": "inventory_users",
|
||||
"role": "user"
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user